Jérôme,

Thanks for your help. I'm using the default ant pattern matching service definition syntax. Here is my service definition:

https://wiki-test.cache.denison.edu/**

If I type a service URL that does not match the ant pattern I get the following and correct log message and the user sees an error page stating "Application Not Authorized to Use CAS":

2013-04-10 08:06:45,984 WARN [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - <Unauthorized Service Access for Service: [ https://wiki-test.cache.denison.edeu/ ] - service is not defined in the service registry.>

Where it gets interesting is when the pattern matches case insensitively. CAS will allow the service, authenticate the user, grant the ST and TGT (if needed), and then appears to do a case sensitive service lookup which fails leaving the user on the CAS server. Below is a log snippet showing that behaviour:

2013-04-10 08:07:21,138 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: hTtPs://WiKi-test.cache.denison.edu/>
2013-04-10 08:07:51,142 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: [snipped]>
2013-04-10 08:07:51,201 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Password change not required for testuser>
2013-04-10 08:07:51,202 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: testuser]>
2013-04-10 08:07:51,202 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
2013-04-10 08:07:51,202 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2013-04-10 08:07:51,203 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [testuser]>
2013-04-10 08:07:51,203 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved testuser. Trying LDAP resolve now...>
2013-04-10 08:07:51,214 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "(uid=testuser)">
2013-04-10 08:07:51,214 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=[snipped]; attributes=[uid]; timeout=1000>
2013-04-10 08:07:51,269 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved testuser to testuser>
2013-04-10 08:07:51,269 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [testuser]>
2013-04-10 08:07:51,324 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal testuser>
2013-04-10 08:07:51,324 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@436567b9authenticated testuser with credential [username: testuser].>
2013-04-10 08:07:51,324 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for testuser: {UDC_IDENTIFIER=[snipped], uid=testuser}>
Audit trail record BEGIN
=============================================================
WHO: [username: testuser]
WHAT: supplied credentials: [username: testuser]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Apr 10 08:07:51 EDT 2013
CLIENT IP ADDRESS: [snipped]
SERVER IP ADDRESS: unknown
=============================================================
2013-04-10 08:07:51,332 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [ TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu] to registry.>
Audit trail record BEGIN
=============================================================
WHO: [username: testuser]
WHAT: TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Apr 10 08:07:51 EDT 2013
CLIENT IP ADDRESS: [snipped]
SERVER IP ADDRESS: unknown
=============================================================
2013-04-10 08:07:51,367 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
2013-04-10 08:07:51,368 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Starting search with searchFilter: (uid=testuser)>
2013-04-10 08:07:51,368 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Returning attributes pwdChangedTime:pwdExpireWarning:pwdMaxAge:hasSubordinates>
2013-04-10 08:07:51,424 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <No warning attribute value for hasSubordinates is set to: FALSE>
2013-04-10 08:07:51,424 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Account password will never expire. Skipping password warning check...>
2013-04-10 08:07:51,425 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [ TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu ]>
2013-04-10 08:07:51,441 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Updated ticket [ TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu ].>
2013-04-10 08:07:51,443 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [ ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] to registry.>
2013-04-10 08:07:51,445 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] for service [ hTtPs://WiKi-test.cache.denison.edu/] for user [testuser]>
Audit trail record BEGIN
=============================================================
WHO: testuser
WHAT: ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu for hTtPs://WiKi-test.cache.denison.edu/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Apr 10 08:07:51 EDT 2013
CLIENT IP ADDRESS: [snipped]
SERVER IP ADDRESS: unknown
=============================================================
2013-04-10 08:07:51,508 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2013-04-10 08:07:51,508 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
2013-04-10 08:07:51,509 DEBUG [org.jasig.cas.web.support.GoogleAccountsArgumentExtractor] - <Extractor did not generate service.>

On Wed, Apr 10, 2013 at 6:26 AM, jleleu <[email protected]> wrote:
> Hi,
>
> Your problem is very strange. Doing some basic tests, I get an
> "unauthorized screen" as I have defined an in memory regexp service:
> http*://**.
>
> Can you turn on DEBUG logs on org.jasig.cas and post them?
>
> Thanks,
> Jérôme
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

--
Michael Herring
Information Technology Services
Web Developer
Denison University
740-587-6360
[email protected]
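
A log triage sketch for the symptom reported in this thread, added here as an example (it is not code from the poster or from the CAS project): it scans "Granted service ticket" lines and flags service URLs that match the registered pattern only when case is ignored. The Ant-style matcher is a simplified stand-in rather than the matcher CAS uses, the function names are hypothetical, and the sample log lines are constructed in the format quoted above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Registered service pattern, taken from the post above.
REGISTERED = "https://wiki-test.cache.denison.edu/**"

# Constructed sample lines (placeholder ticket ids) in the log format quoted in the post.
SAMPLE_LOG = """\
2013-04-10 08:07:51,445 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ ST-2-EXAMPLE-login-dev] for service [ hTtPs://WiKi-test.cache.denison.edu/] for user [testuser]>
2013-04-10 08:09:02,101 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ ST-3-EXAMPLE-login-dev] for service [ https://wiki-test.cache.denison.edu/Home] for user [testuser]>
"""

GRANT = re.compile(
    r"Granted service ticket \[\s*(\S+?)\s*\] for service \[\s*(\S+?)\s*\] for user \[(\S+?)\]")

def ant_to_regex(pattern, ignore_case):
    """Simplified Ant-style translation (assumption): ** = anything, * = one segment, ? = one char."""
    wild = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = [wild.get(tok, re.escape(tok)) for tok in re.split(r"(\*\*|\*|\?)", pattern)]
    return re.compile("".join(parts), re.IGNORECASE if ignore_case else 0)

def canonical(url):
    """Lower-case only scheme and host, which are case-insensitive per RFC 3986; keep the path."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))

def find_case_mismatches(log_text, pattern=REGISTERED):
    """Return tickets granted for URLs that match the pattern only case-insensitively."""
    loose, strict = ant_to_regex(pattern, True), ant_to_regex(pattern, False)
    hits = []
    for line in log_text.splitlines():
        m = GRANT.search(line)
        if not m:
            continue
        ticket, service, user = m.groups()
        if loose.fullmatch(service) and not strict.fullmatch(service):
            hits.append({"time": line[:23], "ticket": ticket, "user": user,
                         "service": service, "canonical": canonical(service)})
    return hits

if __name__ == "__main__":
    for hit in find_case_mismatches(SAMPLE_LOG):
        print(hit)
```

Each hit carries the canonical form of the URL, which is the value to compare against the service registry entry when checking whether both stages of the flow would agree on it.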
